Google has paid security researchers over $15 million for bug bounties, $3.4 million in 2018 alone

Emil Protalinski

1 month ago

Google today announced it has paid out over $15 million since launching its bug bounty program in November 2010. In the past year alone, the company distributed $3.4 million to 317 different security researchers, slightly up from the $2.9 million it gave to 274 researchers the year before. Google awarded half of last year’s rewards — $1.7 million — to researchers who found and reported vulnerabilities in Android and Chrome.

Bug bounty programs are a great complement to existing internal security programs. They help motivate individuals and groups of hackers to not only find flaws but disclose them properly, instead of using them maliciously or selling them to parties that will. Rewarding security researchers with bounties costs peanuts compared to paying for a serious security snafu.

Google’s financial rewards for security bugs range from $100 to $200,000, based on the risk level of the discovery. In 2018, however, the biggest single reward was $41,000.

Google also shared three stories about its bug bounty program in 2018:

Tomasz Bojarski from Poland discovered a bug related to cross-site scripting (XSS), a type of security bug that can allow an attacker to change the behavior or appearance of a website, steal private data, or perform actions on behalf of the user. Tomasz was last year’s top bug hunter and used his reward money to open a lodge and restaurant.

Dzmitry Lukyanenka, a researcher from Minsk, Belarus, was rewarded $1,337 for discovering multiple bugs. After he lost his job, he began bug hunting full-time and became part of Google’s VRP grants program, which provides financial support for prolific bug hunters even when they’re not currently finding and reporting a bug.

In November, Google announced the Security and Privacy research awards to recognize academics who have made major contributions to the field with their research projects. Today the company announced the 2018 winners: